1. 25

On your settings page you can auth your Twitter and GitHub accounts. Twitter was added so the bot can credit you when it announces stories (and we plan equivalent Fediverse support as part of ActivityPub integration). Pretty much everyone’s on GitHub, so that makes sense even if the site doesn’t do anything special with it. With n=2, as much as we can define the current policy it’s “whatever’s useful to the site, plus GitHub”.

We just received a PR to add Keybase support. To decide if I should work with the author to complete it, I wanted to ask folks if they would find Keybase particularly useful, and what our criteria should be for these integrations. What makes an integration worth the dev time to add and maintain?

  2. 15

    As I see it, there are two ways to think about answering this question.

    1. Yeah, I use keybase and I have some “proofs” on my account already and I would make use of this lobste.rs feature if it gets merged.

    2. Last time I encouraged people to use a service, it eventually became Alphabet. Does the Keybase company deserve my seal of approval? We’re talking about giving them a bunch of attention/votes/free advertising/energy/power. I dunno. They seem to be good people, but they are a for-profit company. They are playing the open source client, proprietary server game.

    1. 7

      but they are a for-profit company.

      Venture-funded, too. They and anything that IPOs get even more evil. The one you mentioned, Alphabet, is one of my favorite examples.

    2. 12

      I have a Keybase account, and apart from the initial flurry when I set it up I have never used it.

      I would not find such an integration useful, personally.

      FWIW I have authenticated both my Twitter and GitHub account with Keybase already. Anyone doubting my provenance or ownership of my accounts there can already check that out.

      1. 3

        Same here. I used my keybase account so little (never), that eventually I just deleted it.

      2. 11

        I would find Keybase integration useful. I’m in the core audience: people who have a specific reason to worry about others trying to impersonate their friends, in my case due to political activity and online harassment mobs.

        I share the concerns that others have about it being a for-profit company, but there’s simply no comparable service. The closest open source equivalent is the PGP web of trust, which… I might someday understand, but it will never be usable enough that I can teach others how to use it.

        1. 2

          AFAIK Keybase doesn’t support 1) storing whether you verified a person’s identity, e.g. by exchanging fingerprints in person, nor 2) finding a possible path in a web of trust, nor 3) storing and calculating whether you trust the people from 2.

          Thus I think the closest GPG equivalent of how to handle keys is trust on first use and keeping your keyring in git, without any web of trust and without signing others’ keys.

          1. 2

            Agreed. However, verifying keys isn’t the whole picture. Verifying social media profiles is also important.

        2. 9

          I may be coming in to this conversation a bit late, but I work on the Keybase project. I’m keybase.io/chris on keybase, not that I can prove that easily here (yet :-) ). This might help: https://chris.keybase.pub/lobsters.txt . Some people asked me to come here and offer support for this.

          We and plenty of others have already written extensively about why PGP is inadequate (especially the old keyserver model, which is unusable for most people and dangerous in certain ways), and (2) why we need to find a way to let people cryptographically prove connections between services and keys, using usable software. So I won’t add more here. But a few specific thoughts:

          (1) I personally would want to look at a user in Keybase and, if they’re interested, know who they are here on lobste.rs. I only lurk here occasionally, but I feel like I can learn a lot more about a person’s identity following them here than, say, on other services.

          (2) I’d like to see transitive connections between something like their personal site, their GitHub (or upcoming other git integrations), and lobste.rs.

          (3) The PR actually isn’t complicated, and it doesn’t prevent connections to other services, cryptographic or not.

          (4) There’s not much I can say to the “Keybase is a private company” thing. Not all companies are evil. But answering that is like responding when my brother tells me to relax. I AM FREAKING RELAXED DAN. And yeah, Keybase is funded in the traditional model, and tbh we couldn’t have gotten it to where it is without that model.

          (5) There are different forms of Internet idealism that share a common user base: decentralization, privacy, security, “freedom” (as in free), etc. These are all different ideals that we idealists are all pursuing. But almost no one is tackling every single one at once with a project, and if so, good luck to that project. One of my least favorite things is when the different attempts to solve these problems with the Internet don’t satisfy each other on every axis, and halt the advancement of all of them. You can imagine lobste.rs being mad that Keybase is a company, Keybase being mad lobste.rs data isn’t digitally signed (or its chat encrypted), IPFS being mad both aren’t decentralized enough. Everyone mad at everyone. But all of us can help each other.

          Like I said, there’s nothing I can say to this, except I’d love to see Keybase<>Lobsters, and if you do it, I’d encourage you to remove the integration as soon as you feel Keybase is sucky. I bet that wouldn’t happen.

          1. 5
            1. “PGP sucks and we need something with a better UI!”
            2. Someone makes something with a better UI.
            3. “But this isn’t 100% developed in a way I like it, we can’t use this!”

            And nothing ever changes and we’re still stuck with [pg]pg that even many tech people can’t figure out… 🤷

            1. 4

              Hi, Chris. Thank you.

              My concern about “Keybase is a private company” is that it will compel your developers to make decisions that are technically weak. I’m not just talking about the server source code here–though that is huge.

              I am going to construct some specific questions as examples of a class of questions that I think are important. (I invite other crustaceans to ask questions, while we’ve got Chris’s ear.)

              Is or is not the Keybase company willing to make a technical improvement to the chat protocol which would eliminate the company’s ability to measure user engagement but increase user security?

              Would the Keybase company merge a PR into the official client which added a UI that presents an option for connecting to an alternative server?

              What happens to files I have stored in KBFS and my contacts list, etc. if Facebook buys the Keybase company? Would the company merge a PR now that strengthens users’ ownership of their data, even if doing so makes Keybase a less attractive acquisition?

              1. 6

                edit: formatting

                • yes, I would choose user security over user engagement tracking. Working on Keybase the product is a nightmare for us, from a UX management standpoint. That is, compared to previous work we’ve done, where we had a lot of good tools at our disposal. If you look through our client you’ll see there’s nothing in there that exists to serve tracking purposes. Everything is about trying to make usable cryptography. Any compromises are typically an internal conflict between convenience and security (which is the real dilemma, not tracking and security). Heck, even our website doesn’t have Google Analytics or any 3rd-party hosted JS. Lobstahs and Keybase FTW.

                • in spirit yes, in practice no. I fear shooting myself in the foot here by admitting that to the people who place decentralization on a higher pedestal than encryption, when forced to choose. But our biggest fear would actually be security related. We’re suuuuuper scared of most PRs. Even small things, like a few lines, we end up re-writing from scratch ourselves. I honestly don’t care about hosting Keybase’s data. It would be cheaper/cooler if a user could host it elsewhere. To be clear, though, the second biggest issue is effort. Keybase isn’t just a half-dozen API endpoints: there’s server infrastructure in the form of traditional API endpoints, real-time streaming stuff, and an encrypted filesystem. Moreover there’s a presumption that users are all connected, so it’s hard to imagine how the client would work where you and I can talk on it, but my data is on my servers and your data is on your servers. It would take multiple person-years of effort to have some awesome thing working like that. And Keybase wouldn’t be where it is right now if we focused on this, and realistically… something like 1-in-1000 Keybase users ask for this. As an alternative, consider the fact that Keybase lets you speak easily and securely with someone else to secure other modes of comm. Want to use IPFS + some other encryption software? Exchange your keys on Keybase and don’t look back. We got you started safely! A Keybase integration makes this possible, and we’re happy to have helped. Want to use Signal? Share your phone number and compare your security codes on Keybase. Want to use Tarsnap for backups? Keep your key in KBFS. You can bootstrap using all kinds of other software using Keybase; we make totally decentralized software better. And then don’t actually use Keybase’s chat or filesystem for anything else. I’d propose this is the better answer than a Keybase that can understand different servers.

                • there’s nothing I can do to address the “what’s stopping you from eventually releasing a bad client” angle… I don’t want this to happen. My answer will continue to be “the client wouldn’t be this good if we weren’t a company” even if it appears that by being a company we’re more likely to have a bad client.

                hope I haven’t shot myself in the foot with admitting some of the difficulties here. Again, (1) this integration would just be used by the people who want it, and (2) lobste.rs could remove it whenever they decide they dislike it.

                Thanks for the q!

              2. 1

                I do appreciate your engaging. I agree with all your points. On point (4), I don’t think any ill will is necessary to wind up with bad outcomes. The incentives of for-profit corporations are such that, when the service they’re providing is essentially for the public benefit, everyone should give careful thought to how the company’s needs and the public’s needs might diverge over time.

                Case in point: I’m sure that my employer was sincere about “don’t be evil” when it was first raised as an informal motto - at a time when the company was much closer in size to the size Keybase is now. I’m equally sure that nobody at the top feels that they have changed direction or betrayed their ideals, even with all the controversies the company has been through in the past two years.

                With all that said, as I remarked elsewhere in this thread, I rely on Keybase day-to-day and am in favor of the integration.

                1. 1

                  Would you be willing to spend the necessary implementation work so that Keybase doesn’t compete with OpenPGP public key signatures / web of trust / keyservers, but instead cooperates with it? Specifically if the user has a GPG key by supporting in Keybase to:

                  A) Make the signatures used in account proofs so that they can be verified with a GPG public key.

                  B) Export/sync account claims/associations with GPG public key identities.

                  C) Allow a user to automatically sign their GPG keys when they follow another user. (Use the appropriate format to indicate that the fingerprint was not received over a secure channel and the identity of the human wasn’t checked. Only sign the identities in the key that were verified. Optionally: If the user states that they received a fingerprint e.g. in person and verified the identity of the human, by e.g. pasting a fingerprint of another user, indicate that instead.)

                2. 8

                  (I’m the author of the PR)

                  Keybase is a public key database, and one of the things they have added that other large public key databases (such as SKS and PGP) lack is the ability to tie other accounts across the internet to your public key. This reduces the chances of someone MITMing your communication with someone else.

                  This being said, I also rarely use keybase itself, but I had some free time and I wanted to see what Ruby on Rails was like.

                  1. 7

                    They didn’t need to add the ability to tie other accounts across the internet to your public key. Signing your username would amount to that with a public key lookup. Just put it in your bio. No central server needed.

                    1. 2

                      That’s what most users have been doing, too.

                    2. 2

                      So why not something open like the MIT keyserver instead?

                      1. 4

                        I’m not sure what you’re asking here. (And the MIT keyserver is actually just part of the SKS pool)

                      2. 2

                        In OpenPGP, tying other accounts across the internet to your public key is not the responsibility of the public key transport / database / directory, but of the clients, based on information in the public key. While an OpenPGP public key conflates the account on some service with the name of the person and possibly some other things called identity, it does support it. It is specified in the OpenPGP RFC 4880 under the name User ID Packet, which is called an identity in the GPG CLI. Usually people use it to tie a GPG key to an email address, but the specification does not restrict it to only email accounts.

                      3. 8

                        I like Keybase to prove that an account belongs to me (as much as you can “prove” anything). Ideally, I’d like to link all accounts I have to it for this purpose (including Lobsters).

                        You could get the same by adding a new homepage field and adding rel="me" to that, I suppose, but it’s just a spec without a UI so not exactly the same. Lobsters could of course do both.

                        1. 8

                          I’ve never heard of someone actually using Keybase (past setting it up and following people they recognize). It’s cool and crypto is nice to have, but in terms of practicality I don’t think anyone will use it.

                          Edit: Not to say that it shouldn’t be added for sure - consider this a neutral vote :P

                          1. 9

                            I’ve used it. I actively use it, actually. Currently using it primarily for VCS and comms for a stealth project (a little less stealth now, lol).

                            1. 2

                              Also use it from time to time. Notably, the chat feature helped me get a lobste.rs invitation by “cold calling” a person whose nickname I knew from HN. Recently also used it as a way to contact another person whose email I couldn’t easily find. Besides, occasionally using it for moving files between my computers (i.e. “cloud disk”).

                          2. 6

                            I would not find it useful and I don’t like how keybase keeps their server closed source. If you add it I won’t be using it but others might.

                            1. 4

                              What makes an integration worth the dev time to add and maintain?

                              This is a very good question.

                              Actually there was a long debate on a PR adding support for Keybase on Mastodon, and one of the concerns raised against Keybase integration was the complexity of the protocol and that it’s tied to Keybase only. Twitter is also a for-profit company, but the integration is, I guess, vastly simpler (I haven’t seen the code on lobsters but did the Twitter integration for another project).

                              On the other hand, people want to connect to their other profiles, but lobste.rs doesn’t have link rel=me support either, so maybe there is no harm adding Keybase integration now.

                              (Personally I’m not quite happy with Keybase’s embrace-extend-extinguish strategy w.r.t. OpenPGP, slowly replacing standards with their proprietary crypto schemes (even if they’re based on widely used crypto primitives) but it seems there is no viable, fully open-source alternative to their identity service).

                              1. 1

                                lobste.rs doesn’t have link rel=me support

                                Note: it does now (since yesterday). It’s added on the GitHub, Twitter, and the homepage fields in your profile (the homepage field is new).

                                CC: @stevelord (since you also mentioned it in your comment)
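The rel="me" alternative raised earlier in the thread (a homepage field with rel="me", as opposed to Keybase proofs) and the note just above that it now exists on the GitHub, Twitter and homepage fields both rest on the same check: a link in one direction proves nothing, because anyone can link to someone else’s profile from their own site; the claim holds only when both pages point at each other with rel="me". The following is an added example, not Lobsters’ own code, showing that mutual check with Python’s standard-library HTML parser. The user “alice”, the URLs and the HTML pages are constructed fixtures so it runs offline; a real deployment would fetch both pages over HTTPS, and the URL normalisation is deliberately conservative (http vs https or www vs bare host are not treated as the same site).

```python
# Added example (not Lobsters' code): mutual rel="me" verification between a
# profile page and the homepage it claims.  Both pages are constructed inline
# so the check runs offline; a real deployment would fetch them over HTTPS.
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


def normalize(url: str) -> str:
    """Canonical form for comparison: lowercase scheme and host, drop the
    fragment, strip a trailing slash.  Anything else (http vs https, www vs
    bare host) is deliberately NOT treated as equal."""
    parts = urlsplit(url.strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path.rstrip("/"), parts.query, ""))


class RelMeParser(HTMLParser):
    """Collects the href of every <a> or <link> whose rel attribute contains
    the token "me" (rel is a space-separated list, so "me nofollow" counts)."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        rel_tokens = (attr.get("rel") or "").lower().split()
        href = attr.get("href")
        if "me" in rel_tokens and href:
            self.hrefs.append(href)


def rel_me_links(html: str) -> set[str]:
    """Normalized set of rel="me" targets found in a page."""
    parser = RelMeParser()
    parser.feed(html)
    parser.close()
    return {normalize(h) for h in parser.hrefs}


def check_rel_me(profile_url, profile_html, homepage_url, homepage_html) -> dict:
    """The claim "this homepage belongs to this profile" is verified only when
    BOTH pages point at each other with rel="me".  A one-way link proves
    nothing: anyone can link to someone else's profile from their own site."""
    forward = normalize(homepage_url) in rel_me_links(profile_html)
    backward = normalize(profile_url) in rel_me_links(homepage_html)
    return {"profile_to_homepage": forward,
            "homepage_to_profile": backward,
            "verified": forward and backward}


# Constructed fixtures for a hypothetical user "alice".
PROFILE_URL = "https://lobste.rs/u/alice"
HOMEPAGE_URL = "https://alice.example/"

PROFILE_HTML = """<html><body>
<a rel="me nofollow" href="https://alice.example/">alice.example</a>
<a rel="me" href="https://github.com/alice">GitHub</a>
</body></html>"""

# Homepage that links back with rel="me" in <head>: verified.
HOMEPAGE_HTML = """<html><head>
<link rel="me" href="https://lobste.rs/u/alice">
</head><body>hi</body></html>"""

# Homepage that merely links to the profile without rel="me": not verified.
ONE_WAY_HOMEPAGE_HTML = """<html><body>
<a href="https://lobste.rs/u/alice">my lobste.rs</a>
</body></html>"""

# Homepage whose rel="me" points at a different profile: not verified.
WRONG_TARGET_HOMEPAGE_HTML = """<html><head>
<link rel="me" href="https://lobste.rs/u/mallory">
</head></html>"""

if __name__ == "__main__":
    for name, page in [("mutual", HOMEPAGE_HTML),
                       ("one-way", ONE_WAY_HOMEPAGE_HTML),
                       ("wrong target", WRONG_TARGET_HOMEPAGE_HTML)]:
        print(name, check_rel_me(PROFILE_URL, PROFILE_HTML, HOMEPAGE_URL, page))
```

Only the "mutual" fixture comes back verified; the one-way and wrong-target pages fail the backward check, which is the difference between a user asserting a homepage and the homepage confirming the user. Displaying the two directions separately (rather than a single boolean) makes it obvious to the user which side of the link is still missing.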

                                1. 1

                                  Excellent! Thank you for the update!

                              2. 5

                                It might be worth considering the recent thread on Mastodon’s keybase integration. I made some comments about the nature of Keybase and the nature of Mastodon there. There were some responses that might be useful here.

                                Personally I share /u/sebboh’s concerns highlighted in point 2. Keybase falls short of being fully good-faith actors when it comes to open source (IMHO), and there’s a very real risk that in pivoting to be a centralized identity verification service, people will become reliant on their good will.

                                There are alternative methods like rel=me that could work here, although I appreciate nobody’s issued a PR for it.

                                1. 3

                                  I would use this support, and support doing this. I don’t use Keybase terribly actively, but I do pay attention to proofs posted there for certain folks who I interact with on multiple platforms.

                                  I share some of the concerns posted in this thread, but I think Keybase adds enough value to be worth the trade-offs.

                                  1. 2

                                    Deployed the PR for Keybase integration today.

                                    1. [Comment removed by author]

                                      1. 2

                                        Oh, yeah, I didn’t think about the time management perspective. As far as time management goes, @pushcx, it’s your time. Please don’t feel obligated to use it on things you don’t care about.

                                        1. [Comment removed by author]

                                          1. 2

                                            I mean… I take your point, and I’m sorry you feel that way. As a mod myself, I know that pushcx puts a ton of work into running the site, entirely on a volunteer basis, and I personally feel that it’s totally legit to only want to spend effort on features that are worth it, whatever “worth it” may mean. However, I also recognize that I have no right to tell you how to feel about it.

                                      2. 1

                                        I use keybase for work. It’s the only encrypted messaging platform outside of personal chat where I can ask a peer to go set up Keybase and they can do that on their own successfully without my needing to help them through it. I would use the lobsters verify if we had it, but it’s definitely nothing more than an “oh neat” addition.

                                        1. 1

                                          I would like to have keybase, personally. I think it’s a fantastic concept.